In SOAR settings under alert groupings - you can do quite a few different modifications as to how you want alerts grouped.  Multiple alerts in a specific time frame will end up in the same case and would get sent to an overflow case if it kept triggering. I’d suggest coming up with a mechanism or two to trigger tests and then modify those settings according to your needs. 

@Rafaeleite2  You can control alert grouping by navigating to SOAR Settings -> Advanced -> Alert Grouping. Here, you can specify the entities you want to group alerts by, such as Source IP, Username, or Assignment Group. This setup will help group relevant alerts into a single case based on the entities you choose.

Once your grouping is set up, if you need to trigger only one alert per case, attach your playbook exclusively to the first alert. To do this, use the Find First Alert action (found in Playbook Actions -> Tools -> Find First Alert). This ensures that the playbook triggers only once for each grouped case.

Hope this helps! Let me know if you have further questions.

Another approach:

Leave Alert Grouping enabled
At the beginning of every Alert have a Block "AmIFirst" (I have attached a copy of mine, I have added some blocks that start "ZZ_" as pseudo logic for you to consider and build out)

In this block:
If an Alert is first in the case, then you create a ticket in ITSM and store the ITSM ID at a Case value [case.itsmID]
If the Alert is not first in the case, then update ITSM to add a comment "new alert auto grouped"
etc

Edit - I can't attach my Block, DM me to work out how to distribute


HTH